* [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation
@ 2025-03-18 13:59 Christoph Heiss
2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw)
To: pmg-devel
First and foremost, fixes #6214 [0].
The second patch just adds some more validation on the UI side of
things. While not strictly related to #6214, it's a nice touch.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214
pmg-api:
Christoph Heiss (1):
auth: oidc: fix pattern for `client-id` and `client-key`
src/PMG/Auth/OIDC.pm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
proxmox-widget-toolkit:
Christoph Heiss (1):
window: AuthEditOpenId: add validation for some required fields
src/Utils.js | 4 ++++
src/window/AuthEditOpenId.js | 8 ++++++++
2 files changed, 12 insertions(+)
--
2.48.1
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 6+ messages in thread* [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` 2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss @ 2025-03-18 13:59 ` Christoph Heiss 2025-06-26 10:46 ` [pmg-devel] applied: " Stoiko Ivanov 2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss 2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss 2 siblings, 1 reply; 6+ messages in thread From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw) To: pmg-devel Fixes #6214 [0]. As per RFC 6749 Appendix A [1], `client-id` and `client-key` can contain any printable ascii character, i.e. anything in the (inclusive) range 0x20-0x7E. Reflect that in the pattern. [0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214 [1] https://www.rfc-editor.org/rfc/rfc6749#appendix-A Signed-off-by: Christoph Heiss <c.heiss@proxmox.com> --- src/PMG/Auth/OIDC.pm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm index b2b1a05..5f797d1 100755 --- a/src/PMG/Auth/OIDC.pm +++ b/src/PMG/Auth/OIDC.pm @@ -61,18 +61,22 @@ sub properties { maxLength => 256, pattern => qr/^(https?):\/\/([a-zA-Z0-9.-]+)(:[0-9]{1,5})?(\/[^\s]*)?$/, }, + # See RFC 6749, Appendix A for the allowed pattern for `client-id` and + # `client-key`. + # https://www.rfc-editor.org/rfc/rfc6749#appendix-A + # tl;dr: anything ASCII in the (inclusive) range 0x20-0x7E 'client-id' => { description => "OpenID Connect Client ID", type => 'string', maxLength => 256, - pattern => qr/^[a-zA-Z0-9._:-]+$/, + pattern => qr/^[\x20-\x7E]+$/, }, 'client-key' => { description => "OpenID Connect Client Key", type => 'string', optional => 1, maxLength => 256, - pattern => qr/^[a-zA-Z0-9._:-]+$/, + pattern => qr/^[\x20-\x7E]+$/, }, autocreate => { description => "Automatically create users if they do not exist.", -- 2.48.1 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] applied: [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` 2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss @ 2025-06-26 10:46 ` Stoiko Ivanov 0 siblings, 0 replies; 6+ messages in thread From: Stoiko Ivanov @ 2025-06-26 10:46 UTC (permalink / raw) To: Christoph Heiss; +Cc: pmg-devel applied this one after skimming through the RFC - thanks for the patch! On Tue, 18 Mar 2025 14:59:17 +0100 Christoph Heiss <c.heiss@proxmox.com> wrote: > Fixes #6214 [0]. > > As per RFC 6749 Appendix A [1], `client-id` and `client-key` can contain > any printable ascii character, i.e. anything in the (inclusive) range > 0x20-0x7E. > > Reflect that in the pattern. > > [0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214 > [1] https://www.rfc-editor.org/rfc/rfc6749#appendix-A > > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com> > --- > src/PMG/Auth/OIDC.pm | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm > index b2b1a05..5f797d1 100755 > --- a/src/PMG/Auth/OIDC.pm > +++ b/src/PMG/Auth/OIDC.pm > @@ -61,18 +61,22 @@ sub properties { > maxLength => 256, > pattern => qr/^(https?):\/\/([a-zA-Z0-9.-]+)(:[0-9]{1,5})?(\/[^\s]*)?$/, > }, > + # See RFC 6749, Appendix A for the allowed pattern for `client-id` and > + # `client-key`. > + # https://www.rfc-editor.org/rfc/rfc6749#appendix-A > + # tl;dr: anything ASCII in the (inclusive) range 0x20-0x7E > 'client-id' => { > description => "OpenID Connect Client ID", > type => 'string', > maxLength => 256, > - pattern => qr/^[a-zA-Z0-9._:-]+$/, > + pattern => qr/^[\x20-\x7E]+$/, > }, > 'client-key' => { > description => "OpenID Connect Client Key", > type => 'string', > optional => 1, > maxLength => 256, > - pattern => qr/^[a-zA-Z0-9._:-]+$/, > + pattern => qr/^[\x20-\x7E]+$/, > }, > autocreate => { > description => "Automatically create users if they do not exist.", _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields 2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss 2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss @ 2025-03-18 13:59 ` Christoph Heiss 2025-06-26 10:47 ` Stoiko Ivanov 2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss 2 siblings, 1 reply; 6+ messages in thread From: Christoph Heiss @ 2025-03-18 13:59 UTC (permalink / raw) To: pmg-devel For the `client-id` and `client-secret` OIDC-specific fields, allow the format specified in RFC 6749, Appendix A [0]. As per that, the OIDC-specific `client-id` and `client-key` can contain any printable ascii character, i.e. anything in the (inclusive) range 0x20-0x7E. For the issuer URL, use our existing URL validation regex, while the realm name itself must follow authentication realm naming scheme. [0] https://www.rfc-editor.org/rfc/rfc6749#appendix-A Signed-off-by: Christoph Heiss <c.heiss@proxmox.com> --- src/Utils.js | 4 ++++ src/window/AuthEditOpenId.js | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/src/Utils.js b/src/Utils.js index c873c85..e17bee8 100644 --- a/src/Utils.js +++ b/src/Utils.js @@ -1545,6 +1545,10 @@ utilities: { // Same as SAFE_ID_REGEX in proxmox-schema me.safeIdRegex = /^(?:[A-Za-z0-9_][A-Za-z0-9._\\-]*)$/; + + me.printableAsciiRegex = /^[\x20-\x7E]+$/; + + me.authRealmNameRegex = /^[A-Za-z][A-Za-z0-9.\-_]+$/; }, }); diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js index ed0a6dc..5939516 100644 --- a/src/window/AuthEditOpenId.js +++ b/src/window/AuthEditOpenId.js @@ -23,6 +23,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { name: 'issuer-url', fieldLabel: gettext('Issuer URL'), allowBlank: false, + regex: Proxmox.Utils.httpUrlRegex, + regexText: gettext('Must be a valid URL'), }, ], @@ -36,6 +38,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { }, fieldLabel: gettext('Realm'), allowBlank: false, + regex: Proxmox.Utils.authRealmNameRegex, + regexText: gettext('Must be a valid realm name'), }, { xtype: 'proxmoxcheckbox', @@ -57,6 +61,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { fieldLabel: gettext('Client ID'), name: 'client-id', allowBlank: false, + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A + regexText: gettext('Must be a valid OIDC Client ID'), }, { xtype: 'proxmoxtextfield', @@ -65,6 +71,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { deleteEmpty: '{!isCreate}', }, name: 'client-key', + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A + regexText: gettext('Must be a valid OIDC Client Secret'), }, ], -- 2.48.1 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields 2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss @ 2025-06-26 10:47 ` Stoiko Ivanov 0 siblings, 0 replies; 6+ messages in thread From: Stoiko Ivanov @ 2025-06-26 10:47 UTC (permalink / raw) To: Christoph Heiss; +Cc: pmg-devel On Tue, 18 Mar 2025 14:59:18 +0100 Christoph Heiss <c.heiss@proxmox.com> wrote: > For the `client-id` and `client-secret` OIDC-specific fields, allow the > format specified in RFC 6749, Appendix A [0]. > > As per that, the OIDC-specific `client-id` and `client-key` can contain > any printable ascii character, i.e. anything in the (inclusive) range > 0x20-0x7E. > > For the issuer URL, use our existing URL validation regex, while the > realm name itself must follow authentication realm naming scheme. > > [0] https://www.rfc-editor.org/rfc/rfc6749#appendix-A > > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com> not a maintainer for widget-toolkit - but from looking through the RFC consider this: Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com> > --- > src/Utils.js | 4 ++++ > src/window/AuthEditOpenId.js | 8 ++++++++ > 2 files changed, 12 insertions(+) > > diff --git a/src/Utils.js b/src/Utils.js > index c873c85..e17bee8 100644 > --- a/src/Utils.js > +++ b/src/Utils.js > @@ -1545,6 +1545,10 @@ utilities: { > > // Same as SAFE_ID_REGEX in proxmox-schema > me.safeIdRegex = /^(?:[A-Za-z0-9_][A-Za-z0-9._\\-]*)$/; > + > + me.printableAsciiRegex = /^[\x20-\x7E]+$/; > + > + me.authRealmNameRegex = /^[A-Za-z][A-Za-z0-9.\-_]+$/; > }, > }); > > diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js > index ed0a6dc..5939516 100644 > --- a/src/window/AuthEditOpenId.js > +++ b/src/window/AuthEditOpenId.js > @@ -23,6 +23,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { > name: 'issuer-url', > fieldLabel: gettext('Issuer URL'), > allowBlank: false, > + regex: Proxmox.Utils.httpUrlRegex, > + regexText: gettext('Must be a valid URL'), > }, > ], > > @@ -36,6 +38,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { > }, > fieldLabel: gettext('Realm'), > allowBlank: false, > + regex: Proxmox.Utils.authRealmNameRegex, > + regexText: gettext('Must be a valid realm name'), > }, > { > xtype: 'proxmoxcheckbox', > @@ -57,6 +61,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { > fieldLabel: gettext('Client ID'), > name: 'client-id', > allowBlank: false, > + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A > + regexText: gettext('Must be a valid OIDC Client ID'), > }, > { > xtype: 'proxmoxtextfield', > @@ -65,6 +71,8 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', { > deleteEmpty: '{!isCreate}', > }, > name: 'client-key', > + regex: Proxmox.Utils.printableAsciiRegex, // RFC 6749, Appendix A > + regexText: gettext('Must be a valid OIDC Client Secret'), > }, > ], > _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation 2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss 2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss 2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss @ 2025-05-16 10:13 ` Christoph Heiss 2 siblings, 0 replies; 6+ messages in thread From: Christoph Heiss @ 2025-05-16 10:13 UTC (permalink / raw) To: pmg-devel Ping, still applies. On Tue Mar 18, 2025 at 2:59 PM CET, Christoph Heiss wrote: > First and foremost, fixes #6214 [0]. > > The second patch just adds some more validation on the UI side of > things. While not strictly related to #6214, it's a nice touch. > > [0] https://bugzilla.proxmox.com/show_bug.cgi?id=6214 > > pmg-api: > > Christoph Heiss (1): > auth: oidc: fix pattern for `client-id` and `client-key` > > src/PMG/Auth/OIDC.pm | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > proxmox-widget-toolkit: > > Christoph Heiss (1): > window: AuthEditOpenId: add validation for some required fields > > src/Utils.js | 4 ++++ > src/window/AuthEditOpenId.js | 8 ++++++++ > 2 files changed, 12 insertions(+) _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-06-26 10:46 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-03-18 13:59 [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss 2025-03-18 13:59 ` [pmg-devel] [PATCH pmg-api 1/2] auth: oidc: fix pattern for `client-id` and `client-key` Christoph Heiss 2025-06-26 10:46 ` [pmg-devel] applied: " Stoiko Ivanov 2025-03-18 13:59 ` [pmg-devel] [PATCH widget-toolkit 2/2] window: AuthEditOpenId: add validation for required fields Christoph Heiss 2025-06-26 10:47 ` Stoiko Ivanov 2025-05-16 10:13 ` [pmg-devel] [PATCH pmg-api/pwt 0/2] fix #6214: improve OIDC field validation Christoph Heiss
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.Service provided by Proxmox Server Solutions GmbH | Privacy | Legal